| <html><head> |
| <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> |
| <title>Setting Port 80 Access for a Non-Root User</title><link rel="stylesheet" type="text/css" href="css/docbook.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"><meta name="keywords" content="jetty, servlet, servlet-api, cometd, http, websocket, eclipse, maven, java, server, software"><link rel="home" href="index.html" title="Jetty"><link rel="up" href="configuring-connectors.html" title="Chapter 6. Configuring Jetty Connectors"><link rel="prev" href="configuring-ssl.html" title="Configuring SSL/TLS"><link rel="next" href="configuring-security.html" title="Chapter 7. Configuring Security"><link xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" rel="shortcut icon" href="images/favicon.ico"><link rel="stylesheet" href="css/highlighter/foundation.css"><script src="js/highlight.pack.js"></script><script> |
| hljs.initHighlightingOnLoad(); |
| </script><link type="text/css" rel="stylesheet" href="css/font-awesome/font-awesome.min.css"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><table xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><tr><td style="width: 25%"><a href="http://www.eclipse.org/jetty"><img src="images/jetty-header-logo.png" alt="Jetty Logo"></a><br><span style="font-size: small"> |
| Version: 9.3.28.v20191105</span></td><td style="width: 50%"></td></tr></table><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Setting Port 80 Access for a Non-Root User</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="configuring-ssl.html"><i class="fa fa-chevron-left" aria-hidden="true"></i> Previous</a> </td><th width="60%" align="center">Chapter 6. Configuring Jetty Connectors<br><a accesskey="p" href="index.html"><i class="fa fa-home" aria-hidden="true"></i> Home</a></th><td width="20%" align="right"> <a accesskey="n" href="configuring-security.html">Next <i class="fa fa-chevron-right" aria-hidden="true"></i></a></td></tr></table><hr></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="jetty-callout"><h5 class="callout"><a href="http://www.webtide.com/">Contact the core Jetty developers at |
| <span class="website">www.webtide.com</span></a></h5><p> |
| private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ... |
| scalability guidance for your apps and Ajax/Comet projects ... development services for sponsored feature development |
| </p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="setting-port80-access"></a>Setting Port 80 Access for a Non-Root User</h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="section"><a href="setting-port80-access.html#using-ipchains">Using ipchains</a></span></dt><dt><span class="section"><a href="setting-port80-access.html#using-iptables">Using iptables</a></span></dt><dt><span class="section"><a href="setting-port80-access.html#configuring-jetty-setuid-feature">Configuring Jetty’s SetUID Feature</a></span></dt><dt><span class="section"><a href="setting-port80-access.html#using-solaris10-user-rights-management-framework">Using the Solaris 10 User Rights Management Framework</a></span></dt></dl></div><p>On Unix-based systems, port 80 is protected; typically only the superuser <code class="literal">root</code> can open it. For security reasons, it is not desirable to run the server as <code class="literal">root</code>. |
| This page presents several options to access port 80 as a non-root user, including using <code class="literal">ipchains</code>, <code class="literal">iptables</code>, Jetty’s SetUID feature, <code class="literal">xinetd</code>, and the Solaris 10 User Rights Management Framework.</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="using-ipchains"></a>Using ipchains</h3></div></div></div><p>On some Linux systems you can use the <span class="emphasis"><em>ipchains REDIRECT</em></span> mechanism to redirect from one port to another inside the kernel (if <code class="literal">ipchains</code> is not available, then <code class="literal">iptables</code> usually is):</p><div class="screenexample"><pre class="screen"># /sbin/ipchains -I input --proto TCP --dport 80 -j REDIRECT 8080</pre></div><p>This command instructs the system as follows: "Insert into the kernel’s packet filtering the following as the first rule to check on incoming packets: if the protocol is TCP and the destination port is 80, redirect the packet to port 8080". |
| Be aware that your kernel must be compiled with support for <code class="literal">ipchains</code> (virtually all stock kernels are). |
| You must also have the <code class="literal">ipchains</code> command-line utility installed. |
| You can run this command at any time, preferably just once, since it inserts another copy of the rule every time you run it.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="using-iptables"></a>Using iptables</h3></div></div></div><p>On many Linux systems you can use the <code class="literal">iptables</code> REDIRECT mechanism to redirect from one port to another inside the kernel (if <code class="literal">iptables</code> is not available, then usually <code class="literal">ipchains</code> is).</p><p>You need to add something like the following to the startup scripts or your firewall rules:</p><div class="screenexample"><pre class="screen"># /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080</pre></div><p>The underlying model of <code class="literal">iptables</code> is different from <code class="literal">ipchains</code>, so the forwarding normally happens only to packets originating outside of the server itself. |
| You also need to allow incoming packets to port 8080 if you use <code class="literal">iptables</code> as a local firewall.</p><p>Be careful to place rules like this one early in your <span class="emphasis"><em>input</em></span> chain. |
| Such rules must precede any rule that accepts the packet, otherwise the redirection won’t occur. |
| You can insert as many rules as required if your server needs to listen on multiple ports, as for HTTPS.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="configuring-jetty-setuid-feature"></a>Configuring Jetty’s SetUID Feature</h3></div></div></div><p><a class="link" href="http://en.wikipedia.org/wiki/Setuid" target="_top">SetUID</a> is a technique that uses Unix-like file system access rights to allow users to run an executable that would otherwise require higher privileges.</p><p>Jetty’s <code class="literal">SetUID</code> module allows you to run Jetty as a normal user even when you need to run Jetty on port 80 or 443.</p><p>To use it with the Jetty distribution:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Ensure that you have the <code class="literal">http.mod</code> (and <a class="link" href="quickstart-running-jetty.html#quickstart-starting-https" title="Adding SSL for HTTPS & HTTP2">https.mod</a> if you are using SSL) <a class="link" href="startup-modules.html" title="Managing Startup Modules">modules enabled</a> for the <a class="link" href="quickstart-running-jetty.html#creating-jetty-base" title="Creating a new Jetty Base">base</a> you are using. |
| The <code class="literal">http.mod</code> is enabled by default in the distribution, while the <a class="link" href="quickstart-running-jetty.html#quickstart-starting-https" title="Adding SSL for HTTPS & HTTP2">https.mod</a> is only enabled in the <a class="link" href="quickstart-running-jetty.html#demo-webapps-base" title="Demo Base">demo-base</a> directory.</li><li class="listitem">Ensure that you have <a class="link" href="quickstart-running-jetty.html#quickstart-changing-jetty-port" title="Changing the Jetty Port">changed the http port</a> to 80 (and <a class="link" href="quickstart-running-jetty.html#quickstart-changing-https-port" title="Changing the Jetty HTTPS Port">changed the https port</a> to 443 if you are using SSL).</li><li class="listitem"><p class="simpara">Enable the <code class="literal">setuid.mod</code> module:</p><div class="screenexample"><pre class="screen"># java -jar start.jar --add-to-start=setuid</pre></div><div class="blockquote"><blockquote class="blockquote"><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><i class="fa fa-asterisk" aria-hidden="true"></i> Note</h3><p>The --add-to-start command will enable the setuid module for this and all subsequent executions of jetty. |
| There are other ways to enable the module, such as for a single execution. |
| For more information on the alternatives see the section on <a class="link" href="startup-modules.html" title="Managing Startup Modules">Managing Startup Modules</a>.</p></div></blockquote></div></li><li class="listitem"><p class="simpara">Edit the configuration for the <code class="literal">setuid</code> module to substitute the <code class="literal">userid</code> and <code class="literal">groupid</code> of the user to switch to after starting. |
| If you used the <code class="literal">--add-to-start</code> command, this configuration is in the <code class="literal">start.ini</code> file. |
| If you used the <code class="literal">--add-to-startd</code> command instead, this configuration is in the <code class="literal">start.d/setuid.ini</code> file instead.</p><pre class="literallayout">Below are the lines to configure:</pre><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code>jetty.startServerAsPrivileged=false |
| jetty.username=foo |
| jetty.groupname=bar |
| jetty.umask=002</code></pre><div class="blockquote"><blockquote class="blockquote"><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><i class="fa fa-asterisk" aria-hidden="true"></i> Note</h3><p>As well as opening the connectors as <code class="literal">root</code>, you can also have Jetty start the Server as <code class="literal">root</code> before changing to the non-<code class="literal">root</code> user.</p></div></blockquote></div></li><li class="listitem"><p class="simpara">A native code library is required to perform user switching. |
| This code is hosted as part of the Jetty ToolChain project and is released independently from Jetty itself. |
| You can find the source code <a class="link" href="https://github.com/eclipsejetty.toolchain" target="_top">here</a> in the <a class="link" href="https://github.com/eclipse/jetty.toolchain/jetty-setuid" target="_top">jetty-setuid</a> project. |
| Build it locally, which will produce a native library appropriate for the operating system:</p><div class="screenexample"><pre class="screen"># mvn clean install</pre></div><p class="simpara">If you built on a linux machine you will find the native library in <code class="literal">jetty-setuid/libsetuid-linux/target/libsetuid-linux.so</code>. |
| If you built on a different operating system you will find the library in a different subdirectory, with the name containing the name of the operating system. |
| You may want copy this file into your Jetty distribution’s lib directory.</p></li><li class="listitem"><p class="simpara">Start Jetty as the <code class="literal">root</code> user in your base directory, providing the location of the native library to Java. |
| Below is an example of how to do it from the command line, assuming you are in the <a class="link" href="quickstart-running-jetty.html#demo-webapps-base" title="Demo Base">demo-base</a> directory:</p><div class="screenexample"><pre class="screen"># sudo java -Djava.library.path=libsetuid-linux -jar $JETTY_HOME/start.jar</pre></div></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="using-solaris10-user-rights-management-framework"></a>Using the Solaris 10 User Rights Management Framework</h3></div></div></div><p>Solaris 10 provides a User Rights Management framework that can permit users and processes superuser-like abilities:</p><div class="screenexample"><pre class="screen">usermod -K defaultpriv=basic,net_privaddr myself</pre></div><p>Now the <code class="literal">myself</code> user can bind to port 80.</p><p>Refer to the <a class="link" href="http://docs.oracle.com/cd/E23823_01/html/816-4557/prbactm-1.html#scrolltoc" target="_top">Solaris 10</a> and <a class="link" href="http://docs.oracle.com/cd/E23824_01/html/821-1456/prbactm-1.html#scrolltoc" target="_top">Solaris 11 Security Services documentation</a> for more information.</p></div></div><script type="text/javascript"> |
| SyntaxHighlighter.all() |
| </script><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="configuring-ssl.html"><i class="fa fa-chevron-left" aria-hidden="true"></i> Previous</a> </td><td width="20%" align="center"><a accesskey="u" href="configuring-connectors.html"><i class="fa fa-chevron-up" aria-hidden="true"></i> Top</a></td><td width="40%" align="right"> <a accesskey="n" href="configuring-security.html">Next <i class="fa fa-chevron-right" aria-hidden="true"></i></a></td></tr><tr><td width="40%" align="left" valign="top">Configuring SSL/TLS </td><td width="20%" align="center"><a accesskey="h" href="index.html"><i class="fa fa-home" aria-hidden="true"></i> Home</a></td><td width="40%" align="right" valign="top"> Chapter 7. Configuring Security</td></tr></table></div><p xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><div class="jetty-callout"> |
| See an error or something missing? |
| <span class="callout"><a href="http://github.com/eclipse/jetty.project">Contribute to this documentation at |
| <span class="website"><i class="fa fa-github" aria-hidden="true"></i> Github!</span></a></span><span style="float: right"><i>(Generated: 2019-11-05)</i></span></div></p></body></html> |